home.social

#rokrat — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #rokrat, aggregated by home.social.

  1. APT37 Exploits Facebook for RokRAT Malware Delivery

    North Korean hackers APT37 have cleverly turned Facebook friend requests into a sneaky way to deliver RokRAT malware, exploiting our natural tendency to trust social connections. By accepting a friend request, victims unwittingly open the door to a remote access trojan that can compromise their device.

    osintsights.com/apt37-exploits

    #Apt37 #Rokrat #SocialEngineering #MalwareDelivery #NorthKorea

  2. ScarCruft (APT37) is running Operation HanKook Phantom → phishing South Korean academics w/ RokRAT malware.
    🔹 LNK loaders + fileless PowerShell
    🔹 Exfil via Dropbox & GDrive
    🔹 Goal: espionage & persistence
    💬 Should academia ramp up defenses to enterprise SOC levels, or is that unrealistic?
    Follow @technadu for more threat intel.

    #CyberSecurity #APT37 #ScarCruft #RokRAT #Phishing #ThreatIntel

  3. ScarCruft (APT37) is running Operation HanKook Phantom → phishing South Korean academics w/ RokRAT malware.
    🔹 LNK loaders + fileless PowerShell
    🔹 Exfil via Dropbox & GDrive
    🔹 Goal: espionage & persistence
    💬 Should academia ramp up defenses to enterprise SOC levels, or is that unrealistic?
    Follow @technadu for more threat intel.

    #CyberSecurity #APT37 #ScarCruft #RokRAT #Phishing #ThreatIntel

  4. Happy Tuesday everyone!

    #APT37, aka #ScarCruft, is at it again! SentinelOne researchers noticed that they are targeting media organizations and others that are associated with North Korean affairs. The group leverages .LNK files, zip files, and phishing emails.

    I found this article most interesting because of the multiple types of file formats that were used, to include .bat and .dat files, involved in the campaign. They also use a custom backdoor known as #RokRat to aid in their attack. This is a great article and worth the time! Enjoy and Happy Hunting!

    Notable MITRE ATT&CK TTPs and Behaviors:
    TA0001 - Initial Access
    T1566.001 - Phishing: Spearphishing Attachment

    TA0002 - Execution
    T1059.001 - Command And Scripting Interpreter: Powershell
    T1204.001 - User Execution: Malicious Link

    sentinelone.com/labs/a-glimpse

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #gethunting

  5. NEW research on my blog!

    The evolution of North Korean threat group #APT37's Android spyware: #ROKRAT & #RambleOn

    In this research I perform a comparative analysis between ROKRAT & RambleOn, North Korean threat group APT37's Android malware.

    Link: 0x0v1.com/the-evolution-of-apt

    #threatintel #apt #reverseengineering #malware #spyware #northkorea

  6. Just uploaded my #APT37 #ROKRAT shellcode decrypter script to my github. Hope this helps malware researchers out there

    github.com/0x0v1/MalwareRETool

  7. I just published a script that will assist malware researchers looking at #APT37's #ROKRAT to decode the PS reflection portion of the loader phase. It gives analysts the option to pull shellcode from the payload delivery host quickly for timely analysis.

    github.com/0x0v1/MalwareRETool

    I will later publish a script to deencrypt the shellcode for analysis - just need to clean a few things up in it.

  8. Happy Tuesday everyone! #APT37 is the topic of today's #readoftheday, specifically ThreatMon takes a deep-dive into the #RokRat malware, which is a remote access trojan (RAT). Enjoy and Happy Hunting!

    Link to article in the comments!

    ***AS usual I am going to leave one of the MITRE ATT&CK blank. I would like to see if any of you that see this can help FILL in that blank! If so, leave your thoughts in the comments OR send me a DM!***

    Notable MITRE ATT&CK TTPs:
    TA0007 - Discovery
    T1087 - Account Discovery
    T1083 - File and Directory Discovery
    T1018 - Remote System Discovery
    T1082 - System Information Discovery

    TA0009 - Collection
    T[What technique covers the threat actor capturing information under the TEMP folder?] - Good luck!

    TA0011 - Command And Control
    T1071.001 - Application Layer Protocol: Web Protocols

    TA0002 - Execution
    T1059.003 - Command and Scripting Interpreter: Windows Command Shell

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting